cybergate | a711ec472e6952a2a0fabe62ee0bb4e1cba57e6e07b46bfea27e8d374d2b72cb

Analysis

max time kernel
366s
max time network
425s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2022, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a711ec472e6952a2a0fabe62ee0bb4e1cba57e6e07b46bfea27e8d374d2b72cb.exe
Size

360KB
MD5

355ad39efbfad761e1d19ae27ba31196
SHA1

b59089df31720872faf6a1c775212c41c44edcda
SHA256

a711ec472e6952a2a0fabe62ee0bb4e1cba57e6e07b46bfea27e8d374d2b72cb
SHA512

faf5c9778cb4280c6733c3d186dfa08779e1c8643c1f3047a61879e0cc8d3faaafdd2c6df2695c7cf729fb22d30250c158ce3a5f4cbe882e59337ceaee39e843
SSDEEP

6144:mzCbX6tP+rODx8iCwUT9IS9cJ6DNcrBWRzNxbAGbU04kEe5bB9V:mzDt4Oy0UT9Isl0BEzNxcGbL4kN9V

Score

10^/10

cybergate infectado persistence stealer trojan upx

Malware Config

Extracted

Family

cybergate

Version

2.6

Botnet

Infectado

skiinner.no-ip.org:1338

Mutex

***MUTEX***

Attributes

enable_keylogger
true
enable_message_box
false
ftp_directory
./logs/
ftp_interval
5
injected_process
explorer.exe
install_dir
Filles
install_file
ctfmon.exe
install_flag
true
keylogger_enable_ftp
false
message_box_caption
Você Acaba De Ser Hackeado... Com Sucesso!!!
message_box_title
Hackeado!!!
password
123
regkey_hkcu
ctfmon
regkey_hklm
IgfxTray

Signatures

CyberGate, Rebhip
CyberGate is a lightweight remote administration tool with a wide array of functionalities.
trojan stealer cybergate

Adds policy Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ctfmon = "C:\\Windows\\system32\\Filles\\ctfmon.exe"	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	tmp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ctfmon = "C:\\Windows\\system32\\Filles\\ctfmon.exe"	tmp.exe

Executes dropped EXE 1 IoCs

pid	Process
5012	tmp.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{08B0E5JF-4FCB-11CF-AAA5-00401C6XX500}\StubPath = "C:\\Windows\\system32\\Filles\\ctfmon.exe Restart"	tmp.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/5012-138-0x0000000024010000-0x0000000024072000-memory.dmp	upx

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ctfmon = "C:\\Windows\\system32\\Filles\\ctfmon.exe"	tmp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run	tmp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\IgfxTray = "C:\\Windows\\system32\\Filles\\ctfmon.exe"	tmp.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows\CurrentVersion\Run	tmp.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Filles\ctfmon.exe	tmp.exe
File created	C:\Windows\SysWOW64\Filles\ctfmon.exe	tmp.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5012	tmp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
508	a711ec472e6952a2a0fabe62ee0bb4e1cba57e6e07b46bfea27e8d374d2b72cb.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 508 wrote to memory of 5012	508	a711ec472e6952a2a0fabe62ee0bb4e1cba57e6e07b46bfea27e8d374d2b72cb.exe	80
PID 508 wrote to memory of 5012	508	a711ec472e6952a2a0fabe62ee0bb4e1cba57e6e07b46bfea27e8d374d2b72cb.exe	80
PID 508 wrote to memory of 5012	508	a711ec472e6952a2a0fabe62ee0bb4e1cba57e6e07b46bfea27e8d374d2b72cb.exe	80
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45
PID 5012 wrote to memory of 2396	5012	tmp.exe	45

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2396
- C:\Users\Admin\AppData\Local\Temp\a711ec472e6952a2a0fabe62ee0bb4e1cba57e6e07b46bfea27e8d374d2b72cb.exe
  "C:\Users\Admin\AppData\Local\Temp\a711ec472e6952a2a0fabe62ee0bb4e1cba57e6e07b46bfea27e8d374d2b72cb.exe"
  2⤵
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:508
- - C:\Users\Admin\AppData\Local\Temp\tmp.exe
    C:\Users\Admin\AppData\Local\Temp\tmp.exe
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Modifies Installed Components in the registry
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:5012
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:4652

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
332KB

MD5
b54f4f72d64f20f139cd21edc450cb18

SHA1
42e78e39cf12ba30095928a68924fcda0f37128e

SHA256
58fb3aa3201db826f367aee970f8defe345b7e4ba41dcc2c9374b853cdc48647

SHA512
352557662abf5e677071edfe7b6c2694027aa53cc30b4f9c4c076fe4af47943e8bd8f528c1c209b72066a8a8bdd66bb0c7e9caa5d0ba8f159ece269514524151

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp.exe

Filesize
332KB

MD5
b54f4f72d64f20f139cd21edc450cb18

SHA1
42e78e39cf12ba30095928a68924fcda0f37128e

SHA256
58fb3aa3201db826f367aee970f8defe345b7e4ba41dcc2c9374b853cdc48647

SHA512
352557662abf5e677071edfe7b6c2694027aa53cc30b4f9c4c076fe4af47943e8bd8f528c1c209b72066a8a8bdd66bb0c7e9caa5d0ba8f159ece269514524151

Download Submit
memory/5012-138-0x0000000024010000-0x0000000024072000-memory.dmp

Filesize
392KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads